Rsyslog Forwarder HA Charm

Merge ~pguimaraes/charm-rsyslog-forwarder-ha/+git/rsyslog-forwarder-ha-charm:master into ~rsyslog-charmers/charm-rsyslog-forwarder-ha:master

  1. Git
  2. lp:~pguimaraes/charm-rsyslog-forwarder-ha/+git/rsyslog-forwarder-ha-charm
  3. master
  4. Merge into master
Proposed by Pedro Guimarães
Status: Merged
Merge reported by: Edward Hope-Morley
Merged at revision: 4eb0394f48da04737374437ee0f1a734dbffded2
Proposed branch: ~pguimaraes/charm-rsyslog-forwarder-ha/+git/rsyslog-forwarder-ha-charm:master
Merge into: ~rsyslog-charmers/charm-rsyslog-forwarder-ha:master
Diff against target: 133 lines (+43/-3)
6 files modified
config.yaml (+4/-0)
hooks/hooks.py (+32/-2)
metadata.yaml (+1/-0)
templates/certificate.template (+4/-0)
tests/unit/test_basic.py (+1/-0)
tox.ini (+1/-1)
Reviewer Review Type Date Requested Status
Edward Hope-Morley Approve
Review via email: mp+360187@code.launchpad.net

Commit message

* update Rsyslog to work with Bionic
* add TLS support to communicate with rsyslog servers
* add option to import certificate: juju config rsyslog-forwarder-ha cert=$(base64 -w0 CERT_FILE_AND_PATH)
* updated unit tests accordingly
* added py36 support on tox for unit tests
LP: #1807124, #1796973, #1797162

Description of the change

* update Rsyslog to work with Bionic
* add TLS support to communicate with rsyslog servers
* add option to import certificate: juju config rsyslog-forwarder-ha cert=$(base64 -w0 CERT_FILE_AND_PATH)
* updated unit tests accordingly
* added py36 support on tox for unit tests
LP: #1807124, #1796973, #1797162

To post a comment you must log in.
Revision history for this message
Edward Hope-Morley (hopem) wrote :

Hi thanks for this patch. There are multiple things being fixed/added here so typically it should be split into separate patches but since the cert change is pretty isolated i thinks its ok land in one. I would however like to hear more about what testing has been done specifically for Bionic since iiuc the rsyslog and rsyslog-forwarder-ha have never has formal Bionic testing. Also I see that you have added rsyslog-gnutls as a dep but on my Xenial system that is not installed by default.

review: Needs Fixing
Revision history for this message
Pedro Guimarães (pguimaraes) wrote :

> Hi thanks for this patch. There are multiple things being fixed/added here so
> typically it should be split into separate patches but since the cert change
> is pretty isolated i thinks its ok land in one. I would however like to hear
> more about what testing has been done specifically for Bionic since iiuc the
> rsyslog and rsyslog-forwarder-ha have never has formal Bionic testing. Also I
> see that you have added rsyslog-gnutls as a dep but on my Xenial system that
> is not installed by default.

Yes, there were multiple small fixes but my main targets are Bionic and TLS support. So, the rsyslog-gnutls does not come installed by default and it is setup during install hook (line 198/199 on hooks/hooks.py). That package enables "gtls" option on rsyslog configs.
To test everything, I've strictly followed this step-by-step: https://www.rsyslog.com/doc/master/tutorials/tls.html?highlight=defaultnetstreamdrivercafile and used logger to send messages from client-side.
The main bundle for this test was: https://pastebin.canonical.com/p/Ksf5Jx9D8G/

Revision history for this message
Edward Hope-Morley (hopem) wrote :

Excellent thanks for that info Pedro. I'm deploying your bundle now to check it for myself and will +1 once complete.

Revision history for this message
Edward Hope-Morley (hopem) wrote :

lgtm +1

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/config.yaml b/config.yaml
2index ab55f59..6fd48cb 100644
3--- a/config.yaml
4+++ b/config.yaml
5@@ -1,4 +1,8 @@
6 options:
7+ cert:
8+ type: string
9+ default: ""
10+ description: TLS certificate in base64 format to access rsyslog server
11 log-locally:
12 type: boolean
13 default: false
14diff --git a/hooks/hooks.py b/hooks/hooks.py
15index 0069817..16aa879 100755
16--- a/hooks/hooks.py
17+++ b/hooks/hooks.py
18@@ -42,11 +42,15 @@ from model import Server, session
19 from utils import get_template_dir, get_template
20 from utils import __die as die
21
22+import base64
23+import subprocess
24+
25 required_packages = [
26 'rsyslog',
27 'rsyslog-relp',
28 'python-jinja2',
29- 'python-sqlalchemy'
30+ 'python-sqlalchemy',
31+ 'rsyslog-gnutls'
32 ]
33
34
35@@ -54,11 +58,35 @@ IMFILE_FILE = '/etc/rsyslog.d/40-rsyslog-imfile.conf'
36 LOGS_TEMPLATE = 'keep_local.template'
37 LOGS_SYSTEM_FILE = '/etc/rsyslog.d/50-default.conf'
38 REPLICATION_FILE = '/etc/rsyslog.d/45-rsyslog-replication.conf'
39-
40+CERT_FILE = '/etc/rsyslog.d/42-cert-rsyslog.conf'
41
42 hooks = Hooks()
43
44
45+def update_certfile():
46+ # Check:
47+ # https://www.rsyslog.com/doc/master/tutorials/tls.html?highlight=defaultnetstreamdrivercafile
48+ if config_get('cert'):
49+ if len(config_get('cert')) > 0:
50+ subprocess.check_output(['mkdir','-pv','/etc/rsyslog.d/keys/ca.d'])
51+ encoded_cert=config_get('cert')
52+ cert=base64.b64decode(encoded_cert)
53+ with open("/etc/rsyslog.d/keys/ca.d/rsyslog.crt","w") as c:
54+ c.write(cert)
55+ c.close()
56+
57+ if not config_get('cert'):
58+ if os.path.exists(CERT_FILE):
59+ os.remove(CERT_FILE)
60+ return
61+ if len(config_get('cert')) == 0:
62+ if os.path.exists(CERT_FILE):
63+ os.remove(CERT_FILE)
64+ return
65+
66+ with open(CERT_FILE, 'w') as fd:
67+ fd.write(get_template('certificate').render())
68+
69 def update_imfile(imfiles):
70 if imfiles == []:
71 if os.path.exists(IMFILE_FILE):
72@@ -169,6 +197,7 @@ def install():
73 for package in required_packages:
74 apt_install(package, fatal=True)
75
76+ update_certfile()
77 update_local_logs(
78 keep=config_get('log-locally'))
79
80@@ -224,6 +253,7 @@ def upgrade_charm():
81 def config_changed():
82 update_local_logs(config_get("log-locally"))
83 update_imfile(config_get("watch-files").split())
84+ update_certfile()
85 update_replication()
86 update_nrpe_config()
87
88diff --git a/metadata.yaml b/metadata.yaml
89index b1bc49c..ecef969 100644
90--- a/metadata.yaml
91+++ b/metadata.yaml
92@@ -8,6 +8,7 @@ tags:
93 - audits
94 - ops
95 series:
96+ - bionic
97 - xenial
98 - trusty
99 provides:
100diff --git a/templates/certificate.template b/templates/certificate.template
101new file mode 100644
102index 0000000..460159b
103--- /dev/null
104+++ b/templates/certificate.template
105@@ -0,0 +1,4 @@
106+$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/rsyslog.crt
107+$DefaultNetstreamDriver gtls
108+$ActionSendStreamDriverMode 1
109+$ActionSendStreamDriverAuthMode anon
110diff --git a/tests/unit/test_basic.py b/tests/unit/test_basic.py
111index bc07bd7..85991f8 100644
112--- a/tests/unit/test_basic.py
113+++ b/tests/unit/test_basic.py
114@@ -70,6 +70,7 @@ class HooksTestCase(unittest.TestCase):
115 mock.call("rsyslog-relp", fatal=True),
116 mock.call("python-jinja2", fatal=True),
117 mock.call("python-sqlalchemy", fatal=True),
118+ mock.call("rsyslog-gnutls", fatal=True),
119 ]
120
121 self.assertEquals(sorted(self.apt_install.call_args_list),
122diff --git a/tox.ini b/tox.ini
123index ac45fdc..401fdb2 100644
124--- a/tox.ini
125+++ b/tox.ini
126@@ -1,6 +1,6 @@
127 [tox]
128 skipsdist=True
129-envlist = py34, py35
130+envlist = py34, py35, py36
131 skip_missing_interpreters = True
132
133 [testenv]

Subscribers

People subscribed via source and target branches